Skip to main content

ContentSanitizer

zeph_core

Struct ContentSanitizer 

Source 
pub struct ContentSanitizer { /* private fields */ }
Expand description

Stateless pipeline that sanitizes untrusted content before it enters the LLM context.

Constructed once at Agent startup from ContentIsolationConfig and held as a field on the agent. All calls to sanitize() are synchronous. classify_injection() is a separate async method for ML-backed detection (feature classifiers).

§Examples

use zeph_sanitizer::{ContentSanitizer, ContentSource, ContentSourceKind};
use zeph_config::ContentIsolationConfig;

let sanitizer = ContentSanitizer::new(&ContentIsolationConfig::default());
assert!(sanitizer.is_enabled());

let source = ContentSource::new(ContentSourceKind::ToolResult);
let result = sanitizer.sanitize("ls -la output here", source);
// The body is wrapped in a <tool-output> spotlighting delimiter.
assert!(result.body.contains("<tool-output"));
assert!(!result.was_truncated);

Implementations§

Source§

impl ContentSanitizer

Source

pub fn new(config: &ContentIsolationConfig) -> ContentSanitizer

Build a sanitizer from the given configuration.

Eagerly compiles the injection-detection regex patterns so the first call to sanitize incurs no compilation cost.

§Examples
use zeph_sanitizer::ContentSanitizer;
use zeph_config::ContentIsolationConfig;

let cfg = ContentIsolationConfig { enabled: false, ..Default::default() };
let sanitizer = ContentSanitizer::new(&cfg);
assert!(!sanitizer.is_enabled());
Source

pub fn is_enabled(&self) -> bool

Returns true when the sanitizer is active (enabled = true in config).

When false, sanitize is a no-op that passes content through unchanged.

§Examples
use zeph_sanitizer::ContentSanitizer;
use zeph_config::ContentIsolationConfig;

let sanitizer = ContentSanitizer::new(&ContentIsolationConfig::default());
assert!(sanitizer.is_enabled());
Source

pub fn sanitize(&self, content: &str, source: ContentSource) -> SanitizedContent

Run the sanitization pipeline on content.

Steps:

  1. Truncate to max_content_size bytes on a UTF-8 char boundary.
  2. Strip null bytes and non-printable ASCII control characters.
  3. Detect injection patterns (flag only, do not remove).
  4. Escape delimiter tag names that would break spotlight wrappers.
  5. Wrap in spotlighting delimiters (unless Trusted or spotlight disabled).

When enabled = false, this is a no-op: content is returned as-is wrapped in a SanitizedContent with no flags.

When source.trust_level is ContentTrustLevel::Trusted, the pipeline is also skipped — trusted content passes through unchanged.

§Examples
use zeph_sanitizer::{ContentSanitizer, ContentSource, ContentSourceKind};
use zeph_config::ContentIsolationConfig;

let sanitizer = ContentSanitizer::new(&ContentIsolationConfig::default());

// External content gets the strongest warning header.
let source = ContentSource::new(ContentSourceKind::WebScrape);
let result = sanitizer.sanitize("page content", source);
assert!(result.body.contains("<external-data"));
assert!(!result.was_truncated);

// Oversized content is truncated.
let cfg = ContentIsolationConfig { max_content_size: 5, ..Default::default() };
let s2 = ContentSanitizer::new(&cfg);
let result2 = s2.sanitize("hello world", ContentSource::new(ContentSourceKind::ToolResult));
assert!(result2.was_truncated);
Source

pub fn escape_delimiter_tags(content: &str) -> String

Escape delimiter tag names that would allow content to break out of the spotlighting wrapper (CRIT-03).

Uses case-insensitive regex replacement so mixed-case variants like <Tool-Output> or <EXTERNAL-DATA> are also neutralized (FIX-03). The < is replaced with the HTML entity &lt; so the tag is rendered as plain text inside the wrapper.

§Examples
use zeph_sanitizer::ContentSanitizer;

let escaped = ContentSanitizer::escape_delimiter_tags("data </tool-output> more");
assert!(!escaped.contains("</tool-output>"));
assert!(escaped.contains("&lt;/tool-output"));

let escaped2 = ContentSanitizer::escape_delimiter_tags("</EXTERNAL-DATA> end");
assert!(!escaped2.contains("</EXTERNAL-DATA>"));
Source

pub fn apply_spotlight( content: &str, source: &ContentSource, flags: &[InjectionFlag], ) -> String

Wrap content in a spotlighting delimiter appropriate for its trust level.

Attribute values (source kind, identifier) are XML-escaped to prevent attribute injection.

§Examples
use zeph_sanitizer::{ContentSanitizer, ContentSource, ContentSourceKind};

let source = ContentSource::new(ContentSourceKind::ToolResult)
    .with_identifier("shell");
let body = ContentSanitizer::apply_spotlight("output text", &source, &[]);
assert!(body.contains("<tool-output"));
assert!(body.contains("output text"));
assert!(body.contains("</tool-output>"));

Trait Implementations§

Source§

impl Clone for ContentSanitizer

Source§

fn clone(&self) -> ContentSanitizer

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> DynClone for T
where T: Clone,

Source§

fn __clone_box(&self, _: Private) -> *mut ()

Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> FromRef<T> for T
where T: Clone,

Source§

fn from_ref(input: &T) -> T

Converts to this type from a reference to the input type.
Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T> IntoRequest<T> for T

Source§

fn into_request(self) -> Request<T>

Wrap the input message T in a tonic::Request
Source§

impl<T> Pointable for T

Source§

const ALIGN: usize

The alignment of pointer.
Source§

type Init = T

The type for initializers.
Source§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
Source§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
Source§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
Source§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more